Risk Management Policy

1.1 The Board of Medusa Mining Limited (the “Company” or “Medusa”) recognises that ‘risk oversight’ is a core function of the Board that underpins its commitment to protecting and enhancing shareholder value.
1.2 This policy outlines the Board’s desire to better manage risk, with the establishment of a control framework to assist in identifying, assessing, monitoring and managing risks, so as to safeguard the assets and interests of the Company as well as to ensure the integrity of reporting.
1.3 The Board is ultimately responsible for the business risks of the Company; however, the day-to-day management of these risks will be handled by the Chief Executive Officer (“CEO”) (operating within the framework of this policy), reporting directly to the Board on all matters associated with risk management.

2. DUTIES OF THE CEO

2.1 The duties of the CEO, in the risk management process, will be to:

(a) identify and prioritise risks arising from and to business strategies and activities;
(b) develop and advise the Board on the level of risk that is acceptable to Medusa, including the acceptance of risks designed to accomplish strategic plans;
(c) develop risk mitigation activities that, when implemented, will reduce or otherwise manage risk at levels that have been determined to be reasonable, examples of which include risk minimisation procedures, cost-effective insurance or other risk-shifting activities;
(d) undertake the monitoring of business activities to periodically reassess risks and the effectiveness of controls to manage such risks; and
(e) supply to the Board annual (or when appropriate) reports on the risk management process.

2.2 In fulfilling the duties outlined in paragraph 2.1, the CEO will have unrestricted access to Company employees, contractors and records and may obtain independent expert advice on any matter the CEO believes appropriate.

3. RISK PROFILE

3.1 A risk profile is a description of the material business risks relevant to Medusa and includes both financial and non-financial matters.
3.2 The Board recognises that Medusa’s main business risks are determined by the nature of its business activities and assets, and is aware that other factors (both external and internal) could influence the risk profile of the Company.

(a) The Board has identified the following risk factors that could influence the risk profile of the Company:

• Economic risks: The Company may be exposed to general economy-wide risks, which include the state or health of the industry sector, foreign exchange and interest rates, equity and commodity prices and a nation’s economic well-being. These risks are specifically contemplated by, and set out in, the Company’s Risk Management Policy.
• Environmental risks: The Company’s activities are expected to have an impact on the environment, and the Company may be responsible for environmental liabilities associated with its mining activities. The Company aims to monitor environmental risks and obligations so as to remain compliant with applicable environmental laws. The Company also has a Safety, Health and Environmental Committee that aims to assist with monitoring and reporting on environmental-related risks and issues.
• Social sustainability risks: The Company is exposed to social sustainability risks. The risks could include the potential breakdown of business relations of the Company and the possibility that the safety of the Company’s employees is adversely impacted. The Board has a focus on maintaining strong communications with its key stakeholders, and ensuring that key business relations are maintained. In addition, the Company has a Safety, Health and Environmental Committee that aims to assist with monitoring and reporting on safety and health-related risks, as well as a Code of Conduct for employees dealing with stakeholders that ensures integrity and fair dealing in business affairs.

4. GUIDELINES FOR MINIMISING RISKS

4.1 The Company strives to manage risk as best as it possibly can and has introduced the following guidelines to minimise operational risks, by ensuring that:

(a) all employees are made aware of their duties;
(b) the Company assigns authority based on skill and experience;
(c) all agreements are recorded and documents safeguarded to substantiate dealings with external parties;
(d) the Company has in place insurance policies to minimise the risk of loss through accidents or other adverse incidents;
(e) the Board receives, on a regular basis, reports of its operational activities;
(f) Medusa has in place health and safety practices for its employees to maintain an acceptable level of health and safety in its working environment;
(g) Medusa has established proper procedures to ensure that it complies with its ‘continuous disclosure’ obligations to the ASX and that any information released to the market is materially correct.

4.2 The Board is also aware that the Company has the potential to be exposed to financial loss as a result of fluctuations in market factors that are beyond the Company’s control, for example prices and rates.
As market factors are dynamic in nature, all risk positions are continually monitored to ensure that the Company’s activities are consistent with the approach and strategy approved by the Board.
In an attempt to minimise risk in areas of the Company’s activities that are subject to external factors, beyond the control of the Company, the following guidelines have been initiated:

(a) receiving regular reports on the market relating to indexes, interest rates, foreign exchange, commodities and economic news;
(b) ensure that any new financial market products are subjected to detailed risk analysis before a decision is made to invest in those products;
(c) ensure that a report is prepared for the Board outlining ‘pros & cons’ as to why the Company should invest in any listed companies;
(d) only trading in financial products that can be managed and monitored effectively ‘in-house’;
(e) all transactions of a ‘speculative’ nature are not permitted;
(f) notwithstanding any of the steps mentioned above, no investment of any nature is allowed that will expose shareholders’ funds to undue risks.

5. INTERNAL CONTROL SYSTEM

5.1 Whilst the Board acknowledges that it is responsible for the overall internal control framework of the Company in risk management, it is also cognisant that no cost-effective internal control system will preclude all errors and irregularities.
5.2 The Board reviews the effectiveness of the Company’s system of internal control, including a review of financial, operational, compliance and risk controls on a continual basis.
5.3 Any control not operating effectively is initially corrected and then modified to include a mitigating control that will reduce risk to an acceptable level.
5.4 The CEO and the Chief Financial Officer (or equivalent) are required to provide formal representation to the Board confirming that:

(a) the integrity of the Company’s financial report is founded on a sound system of risk management and internal compliance and control based on the policies adopted by the Board; and
(b) the Company’s risk management and internal compliance and control system is operating efficiently and effectively in all material aspects.

5.5 In satisfying its risk oversight role, the Board may require appropriate management assurance from the CEO and CFO against other material business risks (and associated controls).
5.6 Every employee of the Company has a duty to report any known breach of the guidelines introduced by the Company to minimise risks.
5.7 The key test (indicative but not conclusive) for whether a risk management and internal control system is operating effectively is the business outcomes that have been achieved.
Typically, business outcomes are monitored through key performance indicators (financial and non-financial); however, events outside of management’s control can sometimes lead to undesirable outcomes, which does not necessarily mean that the risk management program in place is ineffective.